jdk-sandbox: comparison jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java

equal deleted inserted replaced

-:6a4eb8f53f91
+:6738c111d48f
 package sun.security.provider.certpath;
 import java.io.*;
 import java.math.BigInteger;
 import java.security.*;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateParsingException;
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.CRLReason;
 import java.security.cert.X509Certificate;
-import java.security.cert.PKIXParameters;
+import java.util.Collections;
-import javax.security.auth.x500.X500Principal;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.Set;
-import java.util.Iterator;
 import sun.misc.HexDumpEncoder;
 import sun.security.x509.*;
 import sun.security.util.*;
 /**
 * </pre>
 *
 * @author      Ram Marti
 */
-class OCSPResponse {
+public final class OCSPResponse {
-// Certificate status CHOICE
+public enum ResponseStatus {
-public static final int CERT_STATUS_GOOD = 0;
+SUCCESSFUL,            // Response has valid confirmations
-public static final int CERT_STATUS_REVOKED = 1;
+MALFORMED_REQUEST,     // Illegal confirmation request
-public static final int CERT_STATUS_UNKNOWN = 2;
+INTERNAL_ERROR,        // Internal error in issuer
+TRY_LATER,             // Try again later
+UNUSED,                // is not used
+SIG_REQUIRED,          // Must sign the request
+UNAUTHORIZED           // Request unauthorized
+};
+private static ResponseStatus[] rsvalues = ResponseStatus.values();
 private static final Debug DEBUG = Debug.getInstance("certpath");
 private static final boolean dump = false;
-private static final ObjectIdentifier OCSP_BASIC_RESPONSE_OID;
+private static final ObjectIdentifier OCSP_BASIC_RESPONSE_OID =
-private static final ObjectIdentifier OCSP_NONCE_EXTENSION_OID;
+ObjectIdentifier.newInternal(new int[] { 1, 3, 6, 1, 5, 5, 7, 48, 1, 1});
-static {
+private static final ObjectIdentifier OCSP_NONCE_EXTENSION_OID =
-ObjectIdentifier tmp1 = null;
+ObjectIdentifier.newInternal(new int[] { 1, 3, 6, 1, 5, 5, 7, 48, 1, 2});
-ObjectIdentifier tmp2 = null;
-try {
+private static final int CERT_STATUS_GOOD = 0;
-tmp1 = new ObjectIdentifier("1.3.6.1.5.5.7.48.1.1");
+private static final int CERT_STATUS_REVOKED = 1;
-tmp2 = new ObjectIdentifier("1.3.6.1.5.5.7.48.1.2");
+private static final int CERT_STATUS_UNKNOWN = 2;
-} catch (Exception e) {
-// should not happen; log and exit
-}
-OCSP_BASIC_RESPONSE_OID = tmp1;
-OCSP_NONCE_EXTENSION_OID = tmp2;
-}
-// OCSP response status code
-private static final int OCSP_RESPONSE_OK = 0;
 // ResponderID CHOICE tags
 private static final int NAME_TAG = 1;
 private static final int KEY_TAG = 2;
 // Object identifier for the OCSPSigning key purpose
 private static final String KP_OCSP_SIGNING_OID = "1.3.6.1.5.5.7.3.9";
-private SingleResponse singleResponse;
+private final ResponseStatus responseStatus;
+private final Map<CertId, SingleResponse> singleResponseMap;
 // Maximum clock skew in milliseconds (15 minutes) allowed when checking
 // validity of OCSP responses
 private static final long MAX_CLOCK_SKEW = 900000;
 private static CRLReason[] values = CRLReason.values();
 /*
 * Create an OCSP response from its ASN.1 DER encoding.
 */
-// used by OCSPChecker
+OCSPResponse(byte[] bytes, Date dateCheckedAgainst,
-OCSPResponse(byte[] bytes, PKIXParameters params,
 X509Certificate responderCert)
 throws IOException, CertPathValidatorException {
-try {
+// OCSPResponse
-int responseStatus;
+if (dump) {
-ObjectIdentifier  responseType;
+HexDumpEncoder hexEnc = new HexDumpEncoder();
-int version;
+System.out.println("OCSPResponse bytes are...");
-CertificateIssuerName responderName = null;
+System.out.println(hexEnc.encode(bytes));
-Date producedAtDate;
+}
-AlgorithmId sigAlgId;
+DerValue der = new DerValue(bytes);
-byte[] ocspNonce;
+if (der.tag != DerValue.tag_Sequence) {
+throw new IOException("Bad encoding in OCSP response: " +
-// OCSPResponse
+"expected ASN.1 SEQUENCE tag.");
-if (dump) {
+}
-HexDumpEncoder hexEnc = new HexDumpEncoder();
+DerInputStream derIn = der.getData();
-System.out.println("OCSPResponse bytes are...");
-System.out.println(hexEnc.encode(bytes));
+// responseStatus
-}
+int status = derIn.getEnumerated();
-DerValue der = new DerValue(bytes);
+if (status >= 0 && status < rsvalues.length) {
-if (der.tag != DerValue.tag_Sequence) {
+responseStatus = rsvalues[status];
-throw new IOException("Bad encoding in OCSP response: " +
+} else {
-"expected ASN.1 SEQUENCE tag.");
+// unspecified responseStatus
-}
+throw new IOException("Unknown OCSPResponse status: " + status);
-DerInputStream derIn = der.getData();
+}
+if (DEBUG != null) {
-// responseStatus
+DEBUG.println("OCSP response status: " + responseStatus);
-responseStatus = derIn.getEnumerated();
+}
+if (responseStatus != ResponseStatus.SUCCESSFUL) {
+// no need to continue, responseBytes are not set.
+singleResponseMap = Collections.emptyMap();
+return;
+}
+// responseBytes
+der = derIn.getDerValue();
+if (!der.isContextSpecific((byte)0)) {
+throw new IOException("Bad encoding in responseBytes element " +
+"of OCSP response: expected ASN.1 context specific tag 0.");
+}
+DerValue tmp = der.data.getDerValue();
+if (tmp.tag != DerValue.tag_Sequence) {
+throw new IOException("Bad encoding in responseBytes element " +
+"of OCSP response: expected ASN.1 SEQUENCE tag.");
+}
+// responseType
+derIn = tmp.data;
+ObjectIdentifier responseType = derIn.getOID();
+if (responseType.equals(OCSP_BASIC_RESPONSE_OID)) {
 if (DEBUG != null) {
-DEBUG.println("OCSP response: " +
+DEBUG.println("OCSP response type: basic");
-responseToText(responseStatus));
+}
-}
+} else {
-if (responseStatus != OCSP_RESPONSE_OK) {
+if (DEBUG != null) {
-throw new CertPathValidatorException(
+DEBUG.println("OCSP response type: " + responseType);
-"OCSP Response Failure: " +
+}
-responseToText(responseStatus));
+throw new IOException("Unsupported OCSP response type: " +
-}
+responseType);
+}
-// responseBytes
-der = derIn.getDerValue();
+// BasicOCSPResponse
-if (! der.isContextSpecific((byte)0)) {
+DerInputStream basicOCSPResponse =
-throw new IOException("Bad encoding in responseBytes element " +
+new DerInputStream(derIn.getOctetString());
-"of OCSP response: expected ASN.1 context specific tag 0.");
-};
+DerValue[] seqTmp = basicOCSPResponse.getSequence(2);
-DerValue tmp = der.data.getDerValue();
+if (seqTmp.length < 3) {
-if (tmp.tag != DerValue.tag_Sequence) {
+throw new IOException("Unexpected BasicOCSPResponse value");
-throw new IOException("Bad encoding in responseBytes element " +
+}
-"of OCSP response: expected ASN.1 SEQUENCE tag.");
-}
+DerValue responseData = seqTmp[0];
-// responseType
+// Need the DER encoded ResponseData to verify the signature later
-derIn = tmp.data;
+byte[] responseDataDer = seqTmp[0].toByteArray();
-responseType = derIn.getOID();
-if (responseType.equals(OCSP_BASIC_RESPONSE_OID)) {
+// tbsResponseData
-if (DEBUG != null) {
+if (responseData.tag != DerValue.tag_Sequence) {
-DEBUG.println("OCSP response type: basic");
+throw new IOException("Bad encoding in tbsResponseData " +
-}
+"element of OCSP response: expected ASN.1 SEQUENCE tag.");
-} else {
+}
-if (DEBUG != null) {
+DerInputStream seqDerIn = responseData.data;
-DEBUG.println("OCSP response type: " + responseType);
+DerValue seq = seqDerIn.getDerValue();
-}
-throw new IOException("Unsupported OCSP response type: " +
+// version
-responseType);
+if (seq.isContextSpecific((byte)0)) {
-}
+// seq[0] is version
+if (seq.isConstructed() && seq.isContextSpecific()) {
-// BasicOCSPResponse
+//System.out.println ("version is available");
-DerInputStream basicOCSPResponse =
+seq = seq.data.getDerValue();
-new DerInputStream(derIn.getOctetString());
+int version = seq.getInteger();
+if (seq.data.available() != 0) {
-DerValue[]  seqTmp = basicOCSPResponse.getSequence(2);
+throw new IOException("Bad encoding in version " +
-DerValue responseData = seqTmp[0];
+" element of OCSP response: bad format");
+}
-// Need the DER encoded ResponseData to verify the signature later
+seq = seqDerIn.getDerValue();
-byte[] responseDataDer = seqTmp[0].toByteArray();
+}
+}
-// tbsResponseData
-if (responseData.tag != DerValue.tag_Sequence) {
+// responderID
-throw new IOException("Bad encoding in tbsResponseData " +
+short tag = (byte)(seq.tag & 0x1f);
-" element of OCSP response: expected ASN.1 SEQUENCE tag.");
+if (tag == NAME_TAG) {
-}
+if (DEBUG != null) {
-DerInputStream seqDerIn = responseData.data;
+X500Name responderName = new X500Name(seq.getData());
-DerValue seq = seqDerIn.getDerValue();
+DEBUG.println("OCSP Responder name: " + responderName);
+}
-// version
+} else if (tag == KEY_TAG) {
-if (seq.isContextSpecific((byte)0)) {
+// Ignore, for now
-// seq[0] is version
+} else {
-if (seq.isConstructed() && seq.isContextSpecific()) {
+throw new IOException("Bad encoding in responderID element of " +
-//System.out.println ("version is available");
+"OCSP response: expected ASN.1 context specific tag 0 or 1");
-seq = seq.data.getDerValue();
+}
-version = seq.getInteger();
-if (seq.data.available() != 0) {
+// producedAt
-throw new IOException("Bad encoding in version " +
+seq = seqDerIn.getDerValue();
-" element of OCSP response: bad format");
+if (DEBUG != null) {
-}
+Date producedAtDate = seq.getGeneralizedTime();
-seq = seqDerIn.getDerValue();
+DEBUG.println("OCSP response produced at: " + producedAtDate);
 }
-}
+// responses
-// responderID
+DerValue[] singleResponseDer = seqDerIn.getSequence(1);
-short tag = (byte)(seq.tag & 0x1f);
+singleResponseMap
-if (tag == NAME_TAG) {
+= new HashMap<CertId, SingleResponse>(singleResponseDer.length);
-responderName = new CertificateIssuerName(seq.getData());
+if (DEBUG != null) {
-if (DEBUG != null) {
+DEBUG.println("OCSP number of SingleResponses: "
-DEBUG.println("OCSP Responder name: " + responderName);
++ singleResponseDer.length);
 }
-} else if (tag == KEY_TAG) {
+for (int i = 0; i < singleResponseDer.length; i++) {
-// Ignore, for now
+SingleResponse singleResponse
-} else {
+= new SingleResponse(singleResponseDer[i]);
-throw new IOException("Bad encoding in responderID element " +
+singleResponseMap.put(singleResponse.getCertId(), singleResponse);
-"of OCSP response: expected ASN.1 context specific tag 0 " +
+}
-"or 1");
-}
+// responseExtensions
+if (seqDerIn.available() > 0) {
-// producedAt
 seq = seqDerIn.getDerValue();
-producedAtDate = seq.getGeneralizedTime();
+if (seq.isContextSpecific((byte)1)) {
+DerValue[] responseExtDer = seq.data.getSequence(3);
-// responses
+for (int i = 0; i < responseExtDer.length; i++) {
-DerValue[] singleResponseDer = seqDerIn.getSequence(1);
+Extension responseExtension
-// Examine only the first response
+= new Extension(responseExtDer[i]);
-singleResponse = new SingleResponse(singleResponseDer[0]);
+if (DEBUG != null) {
+DEBUG.println("OCSP extension: " + responseExtension);
-// responseExtensions
+}
-if (seqDerIn.available() > 0) {
+if (responseExtension.getExtensionId().equals(
-seq = seqDerIn.getDerValue();
+OCSP_NONCE_EXTENSION_OID)) {
-if (seq.isContextSpecific((byte)1)) {
+/*
-DerValue[]  responseExtDer = seq.data.getSequence(3);
+ocspNonce =
-Extension[] responseExtension =
+responseExtension[i].getExtensionValue();
-new Extension[responseExtDer.length];
+*/
-for (int i = 0; i < responseExtDer.length; i++) {
+} else if (responseExtension.isCritical())  {
-responseExtension[i] = new Extension(responseExtDer[i]);
+throw new IOException(
-if (DEBUG != null) {
+"Unsupported OCSP critical extension: " +
-DEBUG.println("OCSP extension: " +
+responseExtension.getExtensionId());
-responseExtension[i]);
+}
 }
-if ((responseExtension[i].getExtensionId()).equals(
+}
-OCSP_NONCE_EXTENSION_OID)) {
+}
-ocspNonce =
-responseExtension[i].getExtensionValue();
+// signatureAlgorithmId
+AlgorithmId sigAlgId = AlgorithmId.parse(seqTmp[1]);
-} else if (responseExtension[i].isCritical())  {
-throw new IOException(
+// signature
-"Unsupported OCSP critical extension: " +
+byte[] signature = seqTmp[2].getBitString();
-responseExtension[i].getExtensionId());
+X509CertImpl[] x509Certs = null;
-}
-}
+// if seq[3] is available , then it is a sequence of certificates
-}
+if (seqTmp.length > 3) {
-}
+// certs are available
+DerValue seqCert = seqTmp[3];
-// signatureAlgorithmId
+if (!seqCert.isContextSpecific((byte)0)) {
-sigAlgId = AlgorithmId.parse(seqTmp[1]);
+throw new IOException("Bad encoding in certs element of " +
+"OCSP response: expected ASN.1 context specific tag 0.");
-// signature
+}
-byte[] signature = seqTmp[2].getBitString();
+DerValue[] certs = seqCert.getData().getSequence(3);
-X509CertImpl[] x509Certs = null;
+x509Certs = new X509CertImpl[certs.length];
+try {
-// if seq[3] is available , then it is a sequence of certificates
-if (seqTmp.length > 3) {
-// certs are available
-DerValue seqCert = seqTmp[3];
-if (! seqCert.isContextSpecific((byte)0)) {
-throw new IOException("Bad encoding in certs element " +
-"of OCSP response: expected ASN.1 context specific tag 0.");
-}
-DerValue[] certs = (seqCert.getData()).getSequence(3);
-x509Certs = new X509CertImpl[certs.length];
 for (int i = 0; i < certs.length; i++) {
 x509Certs[i] = new X509CertImpl(certs[i].toByteArray());
 }
-}
+} catch (CertificateException ce) {
+throw new IOException("Bad encoding in X509 Certificate", ce);
-// Check whether the cert returned by the responder is trusted
+}
-if (x509Certs != null && x509Certs[0] != null) {
+}
-X509CertImpl cert = x509Certs[0];
+// Check whether the cert returned by the responder is trusted
-// First check if the cert matches the responder cert which
+if (x509Certs != null && x509Certs[0] != null) {
-// was set locally.
+X509CertImpl cert = x509Certs[0];
-if (cert.equals(responderCert)) {
-// cert is trusted, now verify the signed response
+// First check if the cert matches the responder cert which
+// was set locally.
-// Next check if the cert was issued by the responder cert
+if (cert.equals(responderCert)) {
-// which was set locally.
+// cert is trusted, now verify the signed response
-} else if (cert.getIssuerX500Principal().equals(
-responderCert.getSubjectX500Principal())) {
+// Next check if the cert was issued by the responder cert
+// which was set locally.
-// Check for the OCSPSigning key purpose
+} else if (cert.getIssuerX500Principal().equals(
+responderCert.getSubjectX500Principal())) {
+// Check for the OCSPSigning key purpose
+try {
 List<String> keyPurposes = cert.getExtendedKeyUsage();
 if (keyPurposes == null ||
 !keyPurposes.contains(KP_OCSP_SIGNING_OID)) {
-if (DEBUG != null) {
-DEBUG.println("Responder's certificate is not " +
-"valid for signing OCSP responses.");
-}
 throw new CertPathValidatorException(
 "Responder's certificate not valid for signing " +
 "OCSP responses");
 }
+} catch (CertificateParsingException cpe) {
-// check the validity
+// assume cert is not valid for signing
-try {
+throw new CertPathValidatorException(
-Date dateCheckedAgainst = params.getDate();
+"Responder's certificate not valid for signing " +
-if (dateCheckedAgainst == null) {
+"OCSP responses", cpe);
-cert.checkValidity();
+}
-} else {
-cert.checkValidity(dateCheckedAgainst);
+// check the validity
-}
+try {
-} catch (GeneralSecurityException e) {
+if (dateCheckedAgainst == null) {
-if (DEBUG != null) {
+cert.checkValidity();
-DEBUG.println("Responder's certificate is not " +
-"within the validity period.");
-}
-throw new CertPathValidatorException(
-"Responder's certificate not within the " +
-"validity period");
-}
-// check for revocation
-//
-// A CA may specify that an OCSP client can trust a
-// responder for the lifetime of the responder's
-// certificate. The CA does so by including the
-// extension id-pkix-ocsp-nocheck.
-//
-Extension noCheck =
-cert.getExtension(PKIXExtensions.OCSPNoCheck_Id);
-if (noCheck != null) {
-if (DEBUG != null) {
-DEBUG.println("Responder's certificate includes " +
-"the extension id-pkix-ocsp-nocheck.");
-}
 } else {
-// we should do the revocating checking of the
+cert.checkValidity(dateCheckedAgainst);
-// authorized responder in a future update.
+}
-}
+} catch (GeneralSecurityException e) {
+throw new CertPathValidatorException(
-// verify the signature
+"Responder's certificate not within the " +
-try {
+"validity period", e);
-cert.verify(responderCert.getPublicKey());
+}
-responderCert = cert;
-// cert is trusted, now verify the signed response
+// check for revocation
+//
-} catch (GeneralSecurityException e) {
+// A CA may specify that an OCSP client can trust a
-responderCert = null;
+// responder for the lifetime of the responder's
+// certificate. The CA does so by including the
+// extension id-pkix-ocsp-nocheck.
+//
+Extension noCheck =
+cert.getExtension(PKIXExtensions.OCSPNoCheck_Id);
+if (noCheck != null) {
+if (DEBUG != null) {
+DEBUG.println("Responder's certificate includes " +
+"the extension id-pkix-ocsp-nocheck.");
 }
 } else {
-if (DEBUG != null) {
+// we should do the revocation checking of the
-DEBUG.println("Responder's certificate is not " +
+// authorized responder in a future update.
-"authorized to sign OCSP responses.");
+}
-}
-throw new CertPathValidatorException(
+// verify the signature
-"Responder's certificate not authorized to sign " +
+try {
-"OCSP responses");
+cert.verify(responderCert.getPublicKey());
-}
+responderCert = cert;
-}
+// cert is trusted, now verify the signed response
-// Confirm that the signed response was generated using the public
+} catch (GeneralSecurityException e) {
-// key from the trusted responder cert
+responderCert = null;
-if (responderCert != null) {
-if (! verifyResponse(responseDataDer, responderCert,
-sigAlgId, signature, params)) {
-if (DEBUG != null) {
-DEBUG.println("Error verifying OCSP Responder's " +
-"signature");
-}
-throw new CertPathValidatorException(
-"Error verifying OCSP Responder's signature");
 }
 } else {
-// Need responder's cert in order to verify the signature
-if (DEBUG != null) {
-DEBUG.println("Unable to verify OCSP Responder's " +
-"signature");
-}
 throw new CertPathValidatorException(
-"Unable to verify OCSP Responder's signature");
+"Responder's certificate is not authorized to sign " +
-}
+"OCSP responses");
-} catch (CertPathValidatorException cpve) {
+}
-throw cpve;
+}
-} catch (Exception e) {
-throw new CertPathValidatorException(e);
+// Confirm that the signed response was generated using the public
-}
+// key from the trusted responder cert
+if (responderCert != null) {
+if (!verifyResponse(responseDataDer, responderCert,
+sigAlgId, signature)) {
+throw new CertPathValidatorException(
+"Error verifying OCSP Responder's signature");
+}
+} else {
+// Need responder's cert in order to verify the signature
+throw new CertPathValidatorException(
+"Unable to verify OCSP Responder's signature");
+}
+}
+/**
+* Returns the OCSP ResponseStatus.
+*/
+ResponseStatus getResponseStatus() {
+return responseStatus;
 }
 /*
 * Verify the signature of the OCSP response.
 * The responder's cert is implicitly trusted.
 */
 private boolean verifyResponse(byte[] responseData, X509Certificate cert,
-AlgorithmId sigAlgId, byte[] signBytes, PKIXParameters params)
+AlgorithmId sigAlgId, byte[] signBytes)
-throws SignatureException {
+throws CertPathValidatorException {
 try {
 Signature respSignature = Signature.getInstance(sigAlgId.getName());
 respSignature.initVerify(cert);
 respSignature.update(responseData);
 if (respSignature.verify(signBytes)) {
 "Error verifying signature of OCSP Responder");
 }
 return false;
 }
 } catch (InvalidKeyException ike) {
-throw new SignatureException(ike);
+throw new CertPathValidatorException(ike);
 } catch (NoSuchAlgorithmException nsae) {
-throw new SignatureException(nsae);
+throw new CertPathValidatorException(nsae);
+} catch (SignatureException se) {
+throw new CertPathValidatorException(se);
 }
 }
-/*
+/**
-* Return the revocation status code for a given certificate.
+* Returns the SingleResponse of the specified CertId, or null if
+* there is no response for that CertId.
 */
-// used by OCSPChecker
+SingleResponse getSingleResponse(CertId certId) {
-int getCertStatus(SerialNumber sn) {
+return singleResponseMap.get(certId);
-// ignore serial number for now; if we support multiple
-// requests/responses then it will be used
-return singleResponse.getStatus();
-}
-// used by OCSPChecker
-CertId getCertId() {
-return singleResponse.getCertId();
-}
-Date getRevocationTime() {
-return singleResponse.getRevocationTime();
-}
-CRLReason getRevocationReason() {
-return singleResponse.getRevocationReason();
-}
-Map<String, java.security.cert.Extension> getSingleExtensions() {
-return singleResponse.getSingleExtensions();
-}
-/*
-* Map an OCSP response status code to a string.
-*/
-static private String responseToText(int status) {
-switch (status)  {
-case 0:
-return "Successful";
-case 1:
-return "Malformed request";
-case 2:
-return "Internal error";
-case 3:
-return "Try again later";
-case 4:
-return "Unused status code";
-case 5:
-return "Request must be signed";
-case 6:
-return "Request is unauthorized";
-default:
-return ("Unknown status code: " + status);
-}
-}
-/*
-* Map a certificate's revocation status code to a string.
-*/
-// used by OCSPChecker
-static String certStatusToText(int certStatus) {
-switch (certStatus)  {
-case 0:
-return "Good";
-case 1:
-return "Revoked";
-case 2:
-return "Unknown";
-default:
-return ("Unknown certificate status code: " + certStatus);
-}
 }
 /*
 * A class representing a single OCSP response.
 */
-private class SingleResponse {
+final static class SingleResponse implements OCSP.RevocationStatus {
-private CertId certId;
+private final CertId certId;
-private int certStatus;
+private final CertStatus certStatus;
-private Date thisUpdate;
+private final Date thisUpdate;
-private Date nextUpdate;
+private final Date nextUpdate;
-private Date revocationTime;
+private final Date revocationTime;
-private CRLReason revocationReason = CRLReason.UNSPECIFIED;
+private final CRLReason revocationReason;
-private HashMap<String, java.security.cert.Extension> singleExtensions;
+private final Map<String, java.security.cert.Extension> singleExtensions;
 private SingleResponse(DerValue der) throws IOException {
 if (der.tag != DerValue.tag_Sequence) {
 throw new IOException("Bad ASN.1 encoding in SingleResponse");
 }
 DerInputStream tmp = der.data;
 certId = new CertId(tmp.getDerValue().data);
 DerValue derVal = tmp.getDerValue();
 short tag = (byte)(derVal.tag & 0x1f);
-if (tag ==  CERT_STATUS_GOOD) {
+if (tag ==  CERT_STATUS_REVOKED) {
-certStatus = CERT_STATUS_GOOD;
+certStatus = CertStatus.REVOKED;
-} else if (tag == CERT_STATUS_REVOKED) {
-certStatus = CERT_STATUS_REVOKED;
 revocationTime = derVal.data.getGeneralizedTime();
 if (derVal.data.available() != 0) {
-int reason = derVal.getEnumerated();
+DerValue dv = derVal.data.getDerValue();
-// if reason out-of-range just leave as UNSPECIFIED
+tag = (byte)(dv.tag & 0x1f);
-if (reason >= 0 && reason < values.length) {
+if (tag == 0) {
-revocationReason = values[reason];
+int reason = dv.data.getEnumerated();
-}
+// if reason out-of-range just leave as UNSPECIFIED
+if (reason >= 0 && reason < values.length) {
+revocationReason = values[reason];
+} else {
+revocationReason = CRLReason.UNSPECIFIED;
+}
+} else {
+revocationReason = CRLReason.UNSPECIFIED;
+}
+} else {
+revocationReason = CRLReason.UNSPECIFIED;
 }
 // RevokedInfo
 if (DEBUG != null) {
 DEBUG.println("Revocation time: " + revocationTime);
 DEBUG.println("Revocation reason: " + revocationReason);
 }
-} else if (tag == CERT_STATUS_UNKNOWN) {
-certStatus = CERT_STATUS_UNKNOWN;
 } else {
-throw new IOException("Invalid certificate status");
+revocationTime = null;
+revocationReason = CRLReason.UNSPECIFIED;
+if (tag == CERT_STATUS_GOOD) {
+certStatus = CertStatus.GOOD;
+} else if (tag == CERT_STATUS_UNKNOWN) {
+certStatus = CertStatus.UNKNOWN;
+} else {
+throw new IOException("Invalid certificate status");
+}
 }
 thisUpdate = tmp.getGeneralizedTime();
 if (tmp.available() == 0)  {
 // we are done
+nextUpdate = null;
 } else {
 derVal = tmp.getDerValue();
 tag = (byte)(derVal.tag & 0x1f);
 if (tag == 0) {
 // next update
 // we are done
 } else {
 derVal = tmp.getDerValue();
 tag = (byte)(derVal.tag & 0x1f);
 }
+} else {
+nextUpdate = null;
 }
 }
 // singleExtensions
 if (tmp.available() > 0) {
 derVal = tmp.getDerValue();
 singleExtensions.put(ext.getId(), ext);
 if (DEBUG != null) {
 DEBUG.println("OCSP single extension: " + ext);
 }
 }
-}
+} else {
+singleExtensions = Collections.emptyMap();
+}
+} else {
+singleExtensions = Collections.emptyMap();
 }
 long now = System.currentTimeMillis();
 Date nowPlusSkew = new Date(now + MAX_CLOCK_SKEW);
 Date nowMinusSkew = new Date(now - MAX_CLOCK_SKEW);
 }
 /*
 * Return the certificate's revocation status code
 */
-private int getStatus() {
+@Override public CertStatus getCertStatus() {
 return certStatus;
 }
 private CertId getCertId() {
 return certId;
 }
-private Date getRevocationTime() {
+@Override public Date getRevocationTime() {
-return revocationTime;
+return (Date) revocationTime.clone();
 }
-private CRLReason getRevocationReason() {
+@Override public CRLReason getRevocationReason() {
 return revocationReason;
 }
-private Map<String, java.security.cert.Extension> getSingleExtensions() {
+@Override
-return singleExtensions;
+public Map<String, java.security.cert.Extension> getSingleExtensions() {
+return Collections.unmodifiableMap(singleExtensions);
 }
 /**
 * Construct a string representation of a single OCSP response.
 */
-public String toString() {
+@Override public String toString() {
 StringBuilder sb = new StringBuilder();
 sb.append("SingleResponse:  \n");
 sb.append(certId);
-sb.append("\nCertStatus: "+ certStatusToText(getCertStatus(null)) +
+sb.append("\nCertStatus: "+ certStatus + "\n");
-"\n");
+if (certStatus == CertStatus.REVOKED) {
-if (certStatus == CERT_STATUS_REVOKED) {
 sb.append("revocationTime is " + revocationTime + "\n");
 sb.append("revocationReason is " + revocationReason + "\n");
 }
 sb.append("thisUpdate is " + thisUpdate + "\n");
 if (nextUpdate != null) {

changeset 3841	6738c111d48f
parent 3314	1e9d33caef08
child 4209	e2e5a973b879